When browsing, a site (http://t.swapx.cc/h.php?aid=80) pops up frequently. Certain sites, like my e-mail, cannot even be viewed. Also, I get two porn sites added to my favorites, and no matter how many times I delete them, they always come back. Here is my HJT log:
Logfile of HijackThis v1.98.2
Scan saved at 10:26:03 AM, on 10/9/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINNT\System32\swxkqg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Juno6\qs\exec.exe
C:\Program Files\Juno6\qs\exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\nmain.exe
c:\PROGRA~1\NORTON~1\navw32.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZMOF7DW9\hijackthis[1]\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=80
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.juno.com/s...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s...ch?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=80
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.gateway.net
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\RXLNFU~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_5.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [gggvrepb] C:\WINNT\System32\swxkqg.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus C40 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C40 Series" /O6 "USB001" /M "Stylus C40"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\hcm.exe" -w
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINNT\d3wz.dll,Install
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\kxqwxepb.exe
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4...006_regular.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downlo...es/IA/ia_XP.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/.../yiebio4025.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BDE86981-BFC4-4A79-A9E0-C137686791F8}: NameServer = 64.136.28.120 64.136.20.120
O20 - AppInit_DLLs: vz29kvl7s1zl0.dll
Spyware Or Hijack Problem
Search site keeps popping up.
#2
Posted 09 October 2004 - 11:26 AM
Sounds like a hijack.
Have you run Ad-Aware, Spybot S&D etc.?
Move HijackThis to its own folder, away from the Temporary Internet Files folder where it could get deleted.
JD
#3
Posted 09 October 2004 - 11:39 AM
1. Download Ad-Aware from http://www.lavasoft....pport/download/, install it and update it. Don't run the scan with it yet; we will do that later on.
2. OK, go into safe mode following the instructions at http://service1.symantec.com/SUPPORT/tsgen...001052409420406
3. When in safe mode, open Ad-Aware, which is what you downloaded earlier.
Before scanning with Ad-Aware SE Free:
Run a FULL Ad-Aware scan using the following configuration:
Click Start.
Select Perform Full System Scan and hit Next to let Ad-Aware scan your drives.
It will list malware files and registry keys. Click Next.
Under the Critical Objects tab, right-click in the list, choose Select All, then Next.
It will ask for verification of checked items. Choose OK.
Close Ad-Aware, reboot into normal mode.
4. Then post a new HijackThis log here in a reply.
This post has been edited by therock247uk: 09 October 2004 - 11:40 AM
#4
Posted 09 October 2004 - 01:54 PM
OK, because you cannot run both Ad-Aware and HouseCall, we are going to do this.
1. Make sure you have "show hidden files" turned on; go here for instructions (http://www.xtra.co.n...1916458,00.html). Boot into safe mode; if you don't know how, go here for instructions (http://service1.symantec.com/SUPPORT/tsgen...001052409420406).
2. While in safe mode, open HijackThis and click Scan. Then tick and fix the following in HijackThis, with all windows closed except HijackThis, leaving it the only program open.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=80
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=80
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\RXLNFU~1.DLL
O4 - HKLM\..\Run: [gggvrepb] C:\WINNT\System32\swxkqg.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINNT\d3wz.dll,Install
O4 - Global Startup: winlogin.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\kxqwxepb.exe
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...006_regular.cab
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downlo...es/IA/ia_XP.cab
O20 - AppInit_DLLs: vz29kvl7s1zl0.dll
3. Go to Start, Control Panel, Add/Remove and uninstall Wintools if it is there.
4. Delete the folders.
C:\Program Files\Submit\
C:\Program Files\Common Files\WinTools\
C:\Program Files\SideFind\
5. Delete the files.
C:\WINNT\System32\swxkqg.exe
image.dll < Might be in C:\WINNT\ or C:\WINNT\System32
vz29kvl7s1zl0.dll < Might be in C:\WINNT\ or C:\WINNT\System32
C:\Program Files\Internet Explorer\kxqwxepb.exe
C:\WINNT\System32\RXLNFU~1.DLL < File starts with RXLNFU
6. Reboot into normal mode and post a new Hijackthis log here in a reply.
This post has been edited by therock247uk: 09 October 2004 - 02:04 PM
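The fix list in the post above is a manual triage of the R/O entries in the first post's log: the helper picked out the blanked-out IE defaults, the unnamed BHOs, the Run entries with generated-looking names, the regsvr32/rundll32 loaders, the DPF entry pointing at a local .exe, the winlogin.exe lookalike and the AppInit_DLLs value. As an added example (not part of this thread, and not HijackThis code), the Python script below parses the log format shown in the first post and applies those same kinds of checks mechanically. The allowlists in it (my.juno.com and www.gateway.net as this user's ISP/OEM pages, the Yahoo and Symantec CAB hosts, the OEM binaries msmsgs/gwmdmmsg/hkcmd/igfxtray/SK9910DM whose odd names would otherwise trip the random-name heuristic) and the winlogin.exe/winlogon.exe lookalike rule are assumptions made for this machine, not HijackThis data; the sample lines are copied from the log posted above.

```python
"""Added example (not from this thread or from HijackThis): parse an HJT 1.98 log and triage it."""
import re
from urllib.parse import urlparse

# Constructed allowlists for THIS machine (assumptions, not HijackThis data): ISP/OEM hosts the
# helper left alone, CAB hosts a reviewer accepts, OEM binaries whose odd names would otherwise
# trip looks_random(), and one system-binary lookalike.
TRUSTED_PAGE_HOSTS = {"my.juno.com", "www.gateway.net"}
TRUSTED_CAB_SUFFIXES = (".yimg.com", ".symantec.com", ".yahoo.com")
KNOWN_GOOD_EXES = {"msmsgs.exe", "gwmdmmsg.exe", "hkcmd.exe", "igfxtray.exe", "sk9910dm.exe"}
LOOKALIKES = {"winlogin.exe": "winlogon.exe"}

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
FILE_RE = re.compile(r'[^\s"\[\]]+\.(?:exe|dll)', re.I)
LOADER_RE = re.compile(r"(?:\[.*?\]\s*)?(regsvr32|rundll32)\b", re.I)


def parse_hjt(text):
    """Return (section, body) pairs for every R/F/O line; the process list is skipped."""
    found = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            found.append((m.group("sec"), m.group("body")))
    return found


def looks_random(name):
    """Heuristic for generated names such as swxkqg.exe, kxqwxepb.exe or vz29kvl7s1zl0.dll."""
    stem = re.sub(r"\.(exe|dll|ocx)$", "", name.lower())
    stem = re.sub(r"[^a-z0-9]", "", stem)
    if len(stem) < 5:
        return False
    if not re.search(r"[aeiouy]", stem):               # no vowels at all
        return True
    if re.search(r"[b-df-hj-np-tv-z]{5}", stem):       # five consonants in a row
        return True
    return len(re.findall(r"[a-z]+|\d+", stem)) >= 5   # letters and digits interleaved


def triage(entries):
    """Return (section, body, reason) for every entry a reviewer should look at."""
    hits = []
    for sec, body in entries:
        reason = None
        if sec in ("R0", "R1"):
            val = body.split(" =", 1)[1].strip() if " =" in body else ""
            if val in ("", "about:blank"):
                reason = "IE default blanked out (typical hijack residue)"
            elif urlparse(val).netloc not in TRUSTED_PAGE_HOSTS:
                reason = "start/search page points at %s" % urlparse(val).netloc
        elif sec == "O2" and "(no name)" in body:
            reason = "anonymous BHO, loaded into every IE process"
        elif sec == "O4":
            files = [m.split("\\")[-1] for m in FILE_RE.findall(body)]
            if any(f.lower() in KNOWN_GOOD_EXES for f in files):
                continue
            cmd = body.split(": ", 1)[1] if ": " in body else body
            label = re.search(r"\[(.*?)\]", cmd)
            if any(f.lower() in LOOKALIKES for f in files):
                reason = "filename mimics a Windows system binary"
            elif LOADER_RE.match(cmd):
                reason = "autostart goes through regsvr32/rundll32 rather than a program"
            elif any(looks_random(f) for f in files) or (label and looks_random(label.group(1))):
                reason = "machine-generated looking name"
        elif sec == "O15":
            reason = "site added to IE's Trusted Zone"
        elif sec == "O16":
            url = urlparse(body.rsplit(" - ", 1)[-1])
            if url.scheme == "file":
                reason = "Downloaded Program File points at a local executable"
            elif url.scheme == "http" and not url.netloc.endswith(TRUSTED_CAB_SUFFIXES):
                reason = "ActiveX CAB from unvetted host %s" % url.netloc
        elif sec == "O20" and ":" in body and body.split(":", 1)[1].strip():
            reason = "AppInit_DLLs injects a DLL into every process that loads user32.dll"
        if reason:
            hits.append((sec, body, reason))
    return hits


# Lines copied from the log posted in this thread (a subset, enough to exercise each rule).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=80
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [gggvrepb] C:\WINNT\System32\swxkqg.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINNT\d3wz.dll,Install
O4 - Global Startup: winlogin.exe
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\kxqwxepb.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab
O20 - AppInit_DLLs: vz29kvl7s1zl0.dll
"""

if __name__ == "__main__":
    for sec, body, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{sec:4} {reason}\n     {body}")
```

Run it as-is and it prints the ten entries the helper asked the poster to fix from the sample, and leaves the Juno search page, the Intel tray program, the Norton agent and the Yahoo CAB alone. The heuristics are deliberately loose (five consonants in a row also catches names like hkcmd and igfxtray, which is why those sit in an allowlist), so the output is a review queue, not a verdict; entries such as the SideFind button or the WinTools Run key are only recognisable from reputation knowledge like the helper's, which a script like this cannot replace.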
#5
Posted 09 October 2004 - 11:09 PM
I also noticed that neither XP nor IE have any patches applied. This is a very dangerous way to run your machine as many known vulnerabilities exist and can be exploited along with your spyware problems.
Please visit MS Windows Update and apply SP2 for XP and IE.
Dave